Orion security
bleearg13
I've been wrangling for the last month with the idea of giving our customers access to Orion. I've run into a security issue that I'm hoping someone else has seen and has ideas how to fix or has a workaround.
When assigning an interface or node a login ID using an Account Limitation, the user still has access to pages such as AllMaps.asp and MapView.asp. A knowledgeable user can *easily* type in the AllMaps.asp page directly into the browser URL and pull up every map configured on our server. They can also click on each map and see the status of each of the nodes. This is not limited to map pages, either - depending on the type of Account Limitation, whether it's a Node- or Interface-based limitation, the user has access to other pages they shouldn't.
For instance, if the user is based on an Interface Account Limitation, they can access Overview.asp, Syslog.asp, and AllReports.asp (among others). Tons of information about the network being monitored can be gained from these pages. If the user is based on a Node Account Limitation, access to these pages is still available, but it only contains information specific to that account's assigned Node or Nodes.
I understand that the AllMaps problem can be solved by setting file-level permissions on the server, but that doesn't solve the issue for the other pages, since these other pages are required by Node-based Accounts.
Have other members of the forum that provide Orion access to their customers seen this and how did they solve it?
Thanks,
evt
bleearg13
...Bump? Is this just not an issue for *anyone*?
2020
I've not had this myself or tried to replicate the issue, but I'm sure on a per-map basis there is an option to hide nodes the user doesn't have rights to view.
OK, it won't stop them seeing the map and its background, but there will be no nodes on the map that they're not allowed to see.